On 21.11.19 13:24, Dave Goodrich wrote:
I know I will incur some wrath for this but I have the Mayor breathing down my
neck. We stop nearly all spam now, but some does get through. Mostly it has
been mail from gmail and outlook servers that pass DKIM and SPF.
This morning a large number of mes
On Fri, 2019-11-22 at 13:01 +, RW wrote:
> On Fri, 22 Nov 2019 00:00:53 +
> Martin Gregorie wrote:
>
>
> > describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> > header __SM1 From:name =~ /^John M Mayor$/
> > header __SM2 From:addr =~ /^john\@cityhall\.com$/
On Fri, 22 Nov 2019 00:00:53 +
Martin Gregorie wrote:
> describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> header __SM1 From:name =~ /^John M Mayor$/
> header __SM2 From:addr =~ /^john\@cityhall\.com$/
> meta SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1
> sco
Are you using or able to use 3.4.3-rc6 because there is a new feature
for this that you can implement called subjprefix that can mark external
emails with External in the subject. Depends on your usage.
On 11/21/2019 1:24 PM, Dave Goodrich wrote:
> Good day,
>
> I know I will incur some wrath for
On 2019-11-22 01:00, Martin Gregorie wrote:
describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
header __SM1 From:name =~ /^John M Mayor$/
header __SM2 From:addr =~ /^john\@cityhall\.com$/
meta SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1
scoreSPOOFED_MAYOR 5.0
On Thu, 2019-11-21 at 14:22 -0700, Grant Taylor wrote:
> I like the logic.
>
> Unfortunately, you need to be very careful as you start to run into
> all the text permutations / homograph attacks.
>
Fair comment. What you saw was hacked together to show the principle,
but not tested.
Here's a te
On Thu, 2019-11-21 at 14:22 -0700, Grant Taylor wrote:
> On 11/21/19 12:14 PM, Martin Gregorie wrote:
> > describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
> > header __SM1 From:name /display name/
> > header __SM2 From:addr /email address/
> > meta SPOOFED_MAYO
On Thu, 21 Nov 2019 11:12:47 -0800
Alan Hodgson wrote:
> Make sure your real mail streams are authenticated with DKIM and
> you're setup to use the whitelist_from_dkim rule; which I believe
> requires the header added by opendkim on received mail.
It doesn't.
On 11/21/19 12:14 PM, Martin Gregorie wrote:
describe SPOOFED_MAYOR Check for spoofed mail from the Mayor
header __SM1 From:name /display name/
header __SM2 From:addr /email address/
meta SPOOFED_MAYOR
(__VM1 && ! __VM2)
scoreSPOOFED_MAYOR 5.0
I like the logic.
Un
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
>
> Any thoughts on that or has anyone done something similar?
>
I have a similar rule that spotsfires on From: headers with @ in the
name and a space in the address. I wrote it to spot rather obvious false
senders, but something like the fol
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
> Good day,
> I know I will incur some wrath for this but I have the Mayor breathing
> down my neck. We stop nearly all spam now, but some does get through.
> Mostly it has been mail from gmail and outlook servers that pass DKIM
> and SPF.
> T
11 matches
Mail list logo
